If recent telemetry from Mozilla is indeed representative of the Internet, then it would appear that half of all traffic in transit is encrypted, a more than 10 percent jump from last December.
The emergence of free Certificate Authorities such as Let’s Encrypt, and similar gratis HTTPS certificate services offered by Cloudflare, Amazon and others has resulted in unprecedented growth of encrypted traffic.
“SSL was too difficult for too long, and in the last year, it’s gotten a lot easier,” said Josh Aas, executive director of the Internet Security Research Group and former Mozilla developer. “A lot of people know they want to use SSL, but the cost and difficulty has been a problem.”
Let’s Encrypt in particular has attracted a number of large hosting providers to turn on SSL, and Aas said that becomes a differentiator.
“It becomes an expected thing for customers and encourages ones who don’t have it to get it,” he said. “We’re seeing more competition with SSL as a perk at the hosting level.”
Aas last week said in a couple of tweets that not only for the first time had more than 50 percent of Internet traffic for a single day been encrypted, but also that Let’s Encrypt had added more than a one million new certificates in the past week. In June, the initiative celebrated the issuance of its five millionth certificate.
https://twitter.com/0xjosh/status/786971412959420424
https://twitter.com/0xjosh/status/786942112910544896
“One million was added in one week, and more since then,” Aas said. “We went roughly from 6.5 million issued certificates to 7.5 million.”
Aas said three large hosting providers switching over to free Let’s Encrypt certs accounts for the surge, in addition to a generally high load of new certs.
“We’re pretty happy with this growth; we’ve blown past our internal estimates,” Aas said. “I was pretty surprised when I saw the 50 percent number just because I wasn’t really thinking about it. I pulled up the numbers one day and saw we hit this milestone. That’s for one day, the moving average will soon be at 50 percent as well and will not go below 50 percent again.
“I just love to think about how much data we’re talking about,” Aas said. “The reality on the ground is there’s a whole bunch of data that’s encrypted now that wouldn’t have been before. Going from 40 percent (39.5 percent when Let’s Encrypt entered its public beta last December) to 50 percent is a massive amount. It’s hard to imagine what 10 percent of daily transfer on the Internet is like.”
Let’s Encrypt provides a free and automated process for creating, validating, installing and renewing of certificates. Its ACME, or Automated Certificate Management Environment, is an open API that helps hosting providers and other users, for example, manage certificate lifecycles.
“Getting the certificate is just one part of the lifecycle,” Aas said. “There are a bunch of other functions such as renewing them and revocation. With the API, you can do this in an automated way, check the status of a cert and manage the whole lifecycle easily.”
While Let’s Encrypt is a big player in bringing free SSL to the web, others such as CloudFlare, Amazon, Aakamai, WordPress and others have made SSL a free and default option in some cases.
CloudFlare two years ago launched a new service called Universal SSL that essentially doubled the number of SSL-protected sites on the Internet overnight. Cloudflare provides an SSL certificate for every customer and will accept HTTPS connections for the main domain and first tier subdomains.
In January, Amazon joined the fray and started provisioning free SSL certs as verified by Amazon’s certificate authority and Amazon Trust Services. Only customers who use Amazon Web Services Elastic Load Balancing or its content delivery network, Amazon CloudFront, were able to apply for certificates at the outset.